Identity and Access Security: Challenging Corporate Thinking
Organisations around the world are facing more security threats to their business than ever before. High-level fraud, breaches of confidentiality, crippling cyber attacks and data theft by their own employees are just some of the issues that companies have to contend with and plan for. These security threats can also necessitate taking a more tangible approach to security in cases where controlling physical access to premises is high on the agenda.
As soon as lurking security risks are exposed, they can exact a costly penalty in terms of reputational damage, eroding the confidence of investors and the market. This can be disruptive to a company’s operations and can even have a knock-on impact on customer service.
At the same time, companies are also wrestling with swathes of regulations, such as Sarbanes-Oxley (SOX), ISO 9000 and Basel II, which require them to take a more consistent and comprehensive approach to risk management, corporate governance and compliance in their day-to-day operations.
Successfully managing physical and logical access to high-value resources or sensitive data is one of the most effective ways for companies to protect themselves against the barrage of threats they now face. Driven by these corporate imperatives, identity and access management (IAM) is fast securing its position as a cornerstone of information security, with a growing number of organisations recognising the potential benefits of an effective IAM programme in terms of cost savings, better service levels, tighter IT governance and improved regulatory compliance.
A survey carried out by technology and market research firm Forrester found that over 75% of enterprise IT security professionals in the UK, France and Germany feel that governance, risk and compliance are motivating them to consider IAM solutions for their organisation.
So if the majority of IT professionals recognise the need to implement IAM, why has this so far failed to translate into wide-scale adoption?
One of the foremost barriers to adoption cited by companies that have considered – but reluctantly decided against – IAM is the cost issue. The ravages of the recession have blown a sizeable hole in the IT budgets of many organisations, with other corporate issues sometimes prioritised over IT security. However, when a company slashes its IT budget, it can leave itself dangerously exposed to security and financial risks where the money saved by reducing budgets can soon be more than swallowed up by the costs of security breaches. While it is impossible wholly to quantify the financial impact of security incidents, the Ponemon Institute estimates that data breaches cost around £60 per compromised record. According to a survey by Datamonitor, smart card security solutions can actually result in a saving of more than US$2m for every 2,000 employees.
A further reason why IAM has not yet been broadly taken up by organisations is that it is still viewed in some quarters as a tactical rather than a strategic implementation. Too many companies still treat IAM as a series of ad hoc projects instead of a process that is as dynamic as the company itself. But adopting a scattergun approach to IAM across an organisation can be counterproductive, to say the least. Juggling multiple, mutually exclusive systems is doomed to failure. Not only is this an expensive and resource-intensive way to approach IAM, but the lack of integration or co-ordination between these systems generates substantial – and unnecessary – complexity. This often leads to a lack of buy-in from senior management and thus a lack of engagement among employees themselves.
The banking industry knows all too well that managing identities is inherently difficult at the best of times; the existence of multiple, disparate identities for each user within the organisation is nothing short of a nightmare for IT managers. If users are using several identities to access information stored in multiple locations, it can be very complicated to bring this information together into a single format when systems are combined.
A recent survey by IT security firm Sophos revealed that a third of respondents use one password across multiple sites. This means that if one account is compromised, all accounts are vulnerable. A username/password combination is still the most popular method of accessing IT systems, but its shortcomings are well documented.
Companies at the cutting edge of secure corporate ID cards have developed a novel two-factor authentication approach to managing and protecting access control within their organisations. The user has to provide a hardware token (corporate identification card) in addition to a secret PIN to strengthen the overall security of a desktop log-on. Even better, the very same smart card can be used to control physical access to the company’s premises, making this kind of solution one of the most effective, cost-saving methods to protect workplace and data security.
Smart card technology is becoming increasingly advanced; cards can now offer three levels of security: single, dual or three-factor authentication. With single-factor authentication, using the card on its own will grant access to a system or open a door. Dual-factor authentication adds an extra level of security in the form of a PIN. Three-factor authentication goes a step further, using a PIN and an extra security measure such as a biometric scan.
Smart cards are also finding effective applications outside the corporate world. Smart card technology is now helping to solve some longstanding thorny issues in the healthcare sector, such as safeguarding patients and staff while protecting confidential patient information. In the UK, for example, many hospitals are now waking up to the benefits of using smart cards to control physical access to their buildings and add logical security to the IT networks that house confidential patient data.
In the past, it was relatively easy for an intruder to walk unchallenged around a hospital, accessing areas meant only for authorised staff. In rare cases, this led to security breaches where babies were taken from paediatric wards. Smart cards are addressing this physical access problem by using encryption to offer differing levels of building access to certain staff. Properly implemented, IAM solutions can help companies by fortifying the security of their data and their business, while making it far easier for users to access the information they need. In simple terms, the challenge for any organisation implementing an IAM system is to bring together physical access control and logical security to establish how they can work better for the needs of the business.
In today’s increasingly risk-conscious environment, IAM is fast becoming a basic, non-negotiable part of corporate IT infrastructure – although IAM is designed to deal with some big security challenges, it does so with a straightforward, common sense approach.
Portable and secure, smart cards are becoming an increasingly valuable tool for safeguarding physical security and guaranteeing the privacy of sensitive electronic information across corporations, hospitals, government agencies, and any organisation seeking heightened security solutions. When you weigh up the benefits of IAM solutions against the costs of reputational damage, security breaches and non-compliance, IAM can offer outstanding value by saving time and money while protecting an organisation’s assets.
With a wide variety of reader technologies to choose from, it’s important to ensure that the technology selected properly balances risk, cost and convenience. Prox technology is a viable choice, especially for sites where Prox cards are already in use, but contactless smart cards represent the next generation of Prox technology and offer all of the convenience of Prox along with increased security and additional benefits, such as multiple applications, read/write capability and increased memory.
However, when selecting a vendor’s system, be aware that some manufacturers, in an attempt to sell ‘universal’ readers capable of reading almost any contactless smart card, bypass the security measures of contactless smart cards in order to achieve their goal. These readers, known as ‘CSN readers’, read only the card’s serial number, which ISO standards require to be readable by any reader, for the express purpose of telling apart multiple cards presented to a reader at the same time. The serial number is therefore not a secret, and because the ISO specifications are publicly available, details of how this process works can be employed by unknown persons to gain unauthorised access.
Access control readers typically read a card and send the card data to another ‘upstream’ device such as a panel, which decides whether to allow access. When this communication takes place over wires, the most popular method is the Wiegand protocol, because almost all vendors support it. Although more modern interfaces such as RS485 and TCP/IP offer more security, there is less interoperability between different manufacturers of readers and panels.
Installing the security system’s wiring in conduits makes it more difficult to compromise, because the correct conduit is harder to identify. Bundling several wire runs together, so that the correct set of wires is harder to pick out, is also desirable. Avoid readers with built-in connectors, which make it easy to swap in an unauthorised reader; instead, connect the wires permanently by soldering.
Utilise security screws that require special tools to remove a reader. This makes the removal process longer and more difficult, and increases the possibility that a malicious attack will be noticed.
Buy readers with a tamper detect mechanism that provides a signal when the reader has been removed. If the reader is controlling a sensitive location, monitor it by CCTV. Many readers also have the capability of sending ‘health’ messages on a periodic basis to the upstream device which can also detect reader malfunctions. It’s better to know when a reader is not working before somebody complains they can’t get in.
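The monitoring advice above (tamper signals, periodic ‘health’ messages, and knowing a reader is down before somebody complains) can be turned into a simple watchdog at the host. The following is an added example and not code from the article or any vendor; the event format, reader names, health interval and timestamps are all constructed, since the real message format depends on the panel vendor. It also flags events from a reader name the host does not expect, which is one way a swapped-in, unauthorised reader on the upstream line would show up.

```python
"""Watchdog over reader health and tamper messages (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ReaderEvent:
    ts: int        # seconds since monitoring started (constructed clock)
    reader: str    # reader identifier as reported to the upstream panel
    kind: str      # "health", "tamper" or "read"


HEALTH_INTERVAL = 60   # constructed: readers are configured to report every 60 s
MISSED_LIMIT = 2       # raise an alarm once two consecutive reports are missed

# Constructed sample stream: "lobby" is healthy, "server-room" goes silent after
# t=60, "loading-dock" raises a tamper signal, and "ghost" is a reader the host
# was never told about.
READERS = ["lobby", "server-room", "loading-dock"]
SAMPLE_EVENTS = [
    ReaderEvent(0, "lobby", "health"),
    ReaderEvent(0, "server-room", "health"),
    ReaderEvent(0, "loading-dock", "health"),
    ReaderEvent(60, "lobby", "health"),
    ReaderEvent(60, "server-room", "health"),
    ReaderEvent(60, "loading-dock", "health"),
    ReaderEvent(120, "lobby", "health"),
    ReaderEvent(120, "loading-dock", "health"),
    ReaderEvent(150, "loading-dock", "tamper"),
    ReaderEvent(180, "lobby", "health"),
    ReaderEvent(180, "loading-dock", "health"),
    ReaderEvent(200, "ghost", "read"),
    ReaderEvent(240, "lobby", "health"),
    ReaderEvent(240, "loading-dock", "health"),
]


def audit_readers(events: List[ReaderEvent], now: int,
                  expected: List[str]) -> Dict[str, List[str]]:
    """Return a dict of reader -> list of alarm strings.

    Alarms are raised for tamper signals, for readers whose last health
    message is older than MISSED_LIMIT intervals, for readers that never
    reported at all, and for any reader name not in the expected list.
    Readers with nothing to report are absent from the result.
    """
    last_health: Dict[str, int] = {}
    alarms: Dict[str, List[str]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.reader not in expected:
            alarms[ev.reader].append(f"unknown reader reported at t={ev.ts}")
            continue
        if ev.kind == "tamper":
            alarms[ev.reader].append(f"tamper signal at t={ev.ts}")
        elif ev.kind == "health":
            last_health[ev.reader] = ev.ts
    for reader in expected:
        if reader not in last_health:
            alarms[reader].append("no health message received")
        elif now - last_health[reader] > HEALTH_INTERVAL * MISSED_LIMIT:
            silent = now - last_health[reader]
            alarms[reader].append(
                f"silent for {silent}s (last health at t={last_health[reader]})")
    return dict(alarms)


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed stream as of t=300."""
    return audit_readers(SAMPLE_EVENTS, now=300, expected=READERS)


if __name__ == "__main__":
    for reader, msgs in sorted(run_sample().items()):
        for msg in msgs:
            print(f"{reader}: {msg}")
```

The point of the two-interval grace period is to tolerate one lost message without waking anybody up, while still noticing a dead or disconnected reader well before the next shift arrives at the door; in a real deployment the interval and limit come from the reader’s configured reporting rate.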
The use of card readers with built-in keypads means lost cards cannot be picked up and used to enter a facility. It also reduces the threat of card cloning. The use of biometric readers ensures that the person presenting the card is the same person it was issued to and should be used at doors that require higher levels of security.
To prevent use of illegitimate cards that may have been fraudulently obtained, old cards should be voided immediately and only issued cards should be valid; don’t have pre-validated ‘spare’ cards ready to hand out. Some access control systems can also generate a different message than ‘just denied’ for cards that haven’t been entered in the system. Any messages reported by the host access control system with wrong formats, wrong site codes, or out of range should be immediately investigated.
It’s also advisable to use a card with a proprietary format or one that’s exclusive to a particular site. Cards with these formats are more difficult to illegally obtain, as compared to the industry standard open 26-bit Wiegand format. The utilisation of as many of these best practices as feasible, with attention to appropriate levels of security, will result in a system that better fulfills its intended function with less possibility of being compromised.
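The previous two paragraphs describe what the host should do with card data arriving over Wiegand: void lost cards immediately, keep no pre-validated spares, and investigate reads with a wrong format, wrong site code or out-of-range number. The following is an added example, not code from the article: it decodes the open 26-bit Wiegand format mentioned above (one even-parity bit, an 8-bit facility or site code, a 16-bit card number and one odd-parity bit, which is the standard layout of that format though the article does not spell it out) and classifies each read the way a host system could. The site code, card range, issued-card list and voided-card list are constructed sample data; `encode_26bit` exists only to build sample reads for the decoder.

```python
"""Decode 26-bit Wiegand reads and classify them for the host (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class WiegandFrame:
    facility_code: int   # 8-bit site code
    card_number: int     # 16-bit card number


def decode_26bit(bits: str) -> Optional[WiegandFrame]:
    """Parse 26 data bits ('0'/'1' characters) as the standard 26-bit format.

    Bit 0 is even parity over bits 1..12, bit 25 is odd parity over bits
    13..24. Any length or parity error returns None, which the caller
    reports as a wrong-format read rather than guessing at the contents.
    """
    if len(bits) != 26 or any(b not in "01" for b in bits):
        return None
    data = [int(b) for b in bits]
    if sum(data[0:13]) % 2 != 0:        # first 13 bits must have even weight
        return None
    if sum(data[13:26]) % 2 != 1:       # last 13 bits must have odd weight
        return None
    return WiegandFrame(facility_code=int(bits[1:9], 2),
                        card_number=int(bits[9:25], 2))


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Build a well-formed 26-bit read; used here only to construct samples."""
    if not (0 <= facility_code < 256 and 0 <= card_number < 65536):
        raise ValueError("field out of range for 26-bit format")
    payload = f"{facility_code:08b}{card_number:016b}"
    even = str(payload[:12].count("1") % 2)          # makes first 13 bits even
    odd = str(1 - payload[12:].count("1") % 2)       # makes last 13 bits odd
    return even + payload + odd


# Constructed host configuration for one site.
SITE_CODE = 42
CARD_RANGE = range(1000, 2000)                # numbers ever allocated to this site
ISSUED_CARDS = {1001: "alice", 1002: "bob"}   # only cards handed to a named person
VOIDED_CARDS = {1003}                         # lost/returned cards, voided at once

# Outcomes the article says should be investigated immediately.
INVESTIGATE = {"WRONG_FORMAT", "WRONG_SITE_CODE", "OUT_OF_RANGE"}


def classify_read(bits: str) -> str:
    """Map a raw read to a host message; only issued, unvoided cards are granted."""
    frame = decode_26bit(bits)
    if frame is None:
        return "WRONG_FORMAT"
    if frame.facility_code != SITE_CODE:
        return "WRONG_SITE_CODE"
    if frame.card_number not in CARD_RANGE:
        return "OUT_OF_RANGE"
    if frame.card_number in VOIDED_CARDS:
        return "VOIDED"
    if frame.card_number not in ISSUED_CARDS:
        return "NOT_ISSUED"        # allocated but never handed out: no 'spare' cards
    return f"GRANTED:{ISSUED_CARDS[frame.card_number]}"


def needs_investigation(result: str) -> bool:
    """True for the message classes that should trigger a human look."""
    return result in INVESTIGATE


if __name__ == "__main__":
    for fc, cn in [(42, 1001), (7, 1001), (42, 5000), (42, 1003), (42, 1500)]:
        verdict = classify_read(encode_26bit(fc, cn))
        flag = " <- investigate" if needs_investigation(verdict) else ""
        print(f"site={fc:3d} card={cn:5d}: {verdict}{flag}")
```

Separating ‘not issued’ and ‘voided’ from a bare ‘denied’ is what lets the host raise the distinct message the article recommends; keeping the issued list limited to cards assigned to a named holder is how the ‘no pre-validated spares’ rule is enforced in data rather than in procedure.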